You’ll need tzsp2pcap, git, and some development libraries.
Configure on Mikrotik Router
Configure on Security Onion
sudo ufw allow 37008
sudo apt install git build-essential libpcap0.8-dev
git clone https://github.com/thefloweringash/tzsp2pcap.git
cd tzsp2pcap && make
sudo cp tzsp2pcap /usr/local/bin
sudo tzsp2pcap -vv -f | sudo tcpreplay --topspeed -i <capture interface> -
You will now be capturing traffic from your selected Mikrotik interfaces and dumping it to your Security Onion capture interface.
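To make clear what tzsp2pcap is actually doing in the pipeline above, here is a small TZSP decoder and pcap writer added as an example (it is not from the original how-to and not the tzsp2pcap project's code). Each UDP/37008 datagram the router sends carries a 4-byte TZSP header (version, packet type, encapsulated protocol), a tag list terminated by the end tag 0x01, and then the raw Ethernet frame; the decoder validates the header and tag list before the frame is written out, so a truncated datagram is dropped instead of being replayed as if it were a valid frame. The sample frame, the tag number 0x0A and the value stored in it are constructed for the example; the `listen()` function and its output path are illustrative and are not run by the example itself.

```python
"""TZSP decoder + pcap writer (added example, not tzsp2pcap's own code)."""
import struct
import socket
import time

TZSP_PORT = 37008          # UDP port the how-to opens in ufw
TZSP_VERSION = 1
ENCAP_ETHERNET = 0x0001    # encapsulated protocol: Ethernet
TAG_PADDING = 0x00         # single-byte tag, no length field
TAG_END = 0x01             # single-byte tag, terminates the tag list
DLT_EN10MB = 1             # pcap link type for Ethernet


def parse_tzsp(datagram: bytes):
    """Return (packet_type, encapsulation, tags, frame) for one TZSP datagram.
    Raises ValueError on anything truncated or unterminated."""
    if len(datagram) < 4:
        raise ValueError("TZSP header truncated")
    version, pkt_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags = {}
    off = 4
    while True:
        if off >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[off]
        off += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if off >= len(datagram):
            raise ValueError("tag length byte missing")
        length = datagram[off]
        off += 1
        if off + length > len(datagram):
            raise ValueError("tag value runs past end of datagram")
        tags[tag] = datagram[off:off + length]
        off += length
    return pkt_type, encap, tags, datagram[off:]


def build_tzsp(frame: bytes, tags=None, pkt_type=0, encap=ENCAP_ETHERNET) -> bytes:
    """Encode a TZSP datagram; used here only to construct sample input."""
    out = struct.pack("!BBH", TZSP_VERSION, pkt_type, encap)
    for tag, value in (tags or {}).items():
        out += bytes([tag, len(value)]) + value
    return out + bytes([TAG_END]) + frame


def pcap_global_header(linktype=DLT_EN10MB) -> bytes:
    """Classic libpcap file header: microsecond timestamps, snaplen 65535."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    """One pcap record header (16 bytes) followed by the frame bytes."""
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def tzsp_to_pcap(datagrams, ts=0.0) -> bytes:
    """Convert TZSP datagrams into a complete pcap byte string, skipping
    datagrams that are malformed or not Ethernet-encapsulated."""
    out = pcap_global_header()
    for dg in datagrams:
        try:
            _, encap, _, frame = parse_tzsp(dg)
        except ValueError:
            continue
        if encap == ENCAP_ETHERNET:
            out += pcap_record(frame, ts)
    return out


def listen(port=TZSP_PORT, out_path="tzsp.pcap"):
    """Receive TZSP from the router and append frames to a pcap file
    (same idea as tzsp2pcap -f; illustrative, not run by this example)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    with open(out_path, "wb") as fh:
        fh.write(pcap_global_header())
        while True:
            dg, _ = sock.recvfrom(65535)
            try:
                _, encap, _, frame = parse_tzsp(dg)
            except ValueError:
                continue           # drop malformed datagrams, keep streaming
            if encap == ENCAP_ETHERNET:
                fh.write(pcap_record(frame, time.time()))


# Constructed sample: minimal Ethernet frame (dst, src, EtherType 0x0800)
# with a dummy payload, wrapped in TZSP with one constructed tag (0x0A).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"payload"
SAMPLE_DATAGRAM = build_tzsp(SAMPLE_FRAME, tags={0x0A: b"\xc8"})

if __name__ == "__main__":
    pkt_type, encap, tags, frame = parse_tzsp(SAMPLE_DATAGRAM)
    print(f"type={pkt_type} encap=0x{encap:04x} tags={tags} frame={frame.hex()}")
    print(f"pcap size: {len(tzsp_to_pcap([SAMPLE_DATAGRAM]))} bytes")
```

Running the file decodes the constructed datagram and reports the size of the resulting pcap (24-byte global header, 16-byte record header, 21-byte frame). The pcap bytes are what the real tool hands to tcpreplay on stdin in the pipeline above; writing them to a file instead is a useful first check that the router is actually streaming before the capture interface is involved.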
An excellent use case for this is monitoring your wireless network (if using a combination wireless and wired router) or other interfaces such as PPPoE or VPN tunnels that might not otherwise be tapped without additional hardware.
Note that this can have a severe impact on the performance of your Mikrotik device. The more interfaces you choose to sniff, the more processing overhead there is when those interfaces become loaded with traffic. As an example, a Mikrotik RB2011 loaded with 50Mbit of ethernet traffic from a total of three sniffed interfaces maxed the CPU (“overclocked” to 750MHz) at 100% and started severely impacting other services running on the device.